File: NCP_Readme_Linux_Secure_Friendly_Net_Detection_Service.html
Product: NCP Secure Friendly Net Detection Service (Linux)
Manufacturer: NCP Engineering GmbH, Nuremberg, Germany
Notes for Installation and Configuration
Functional Description
Friendly Net Detection (FND) is a technology that enables a Secure Client computer to automatically recognize a "friendly network".
The technology is designed to guarantee maximum security for the central data network - the "friendly network" - in Remote Access VPNs (Virtual Private Networks) while at the same time providing secure and transparent access to the corporate network from any network environment in which the user is required to work.
FND is a client/server application that can be administered centrally:
- The FND Server (FNDS) is a separate service which is installed, independently of the VPN Gateway, on any computer within the protected company network (usually behind the demilitarized zone). A prerequisite for the use of FND is the installation of an FNDS in the part of the company network that has been declared the "friendly network". This service has to be reachable from all parts of that network, so in some cases router settings may have to be changed.
- The FND Client (FNDC) is part of NCP's Secure VPN Client Suite and is configured via the Client's firewall settings. When employees connect their end-devices to the company network, the FNDC attempts to contact the configured FNDS. If the device is able to contact and authenticate with the FNDS, this confirms that the device is within a friendly network and the NCP Secure VPN Client's firewall rules are automatically changed accordingly.
This document describes how to install and configure a Friendly Net Detection Server. The software is implemented as a single Linux daemon (referred to as ncpfndd in this document) which is configured by specific "parameter-name=parameter-value" strings stored in ncpfnd.conf.
Prerequisites
Prior to carrying out the installation process, ensure that the prerequisites listed in the accompanying Release Notes are fulfilled.
IMPORTANT: elevated (root) rights are required in order to install the software; the installing user must belong to the "sudoers" group (see the sudo man pages for details) and the root password will be required during the install.
Download the Software
On the system which will host the FNDS, download the latest software distribution package binary from NCP's website to a working directory; select either the x32 or x64 download directory as appropriate, dependent on host capabilities. The downloaded binary's filename will be of the form:
NCP_FNDSrv_Linux_aaa_bbb.bin
where aaa is either:
- x86_64: the version to be used on 64 bit systems
or
- x86: the version to be used on 32 bit systems
and bbb is the version and build number.
Install the Software
The downloaded binary file incorporates the FND Server software, including a comprehensive install program; set the binary's execute permission bit and then execute the binary file.
The install program prompts for the root password before proceeding with the installation; the following illustrates a sample installation:
admin@UBUNTU64Server:~$ pwd
/home/admin
admin@UBUNTU64Server:~$ ls -la
total 7444
drwxr-xr-x 3 admin admin 4096 Mar 31 13:51 .
drwxr-xr-x 4 root root 4096 Feb 27 19:37 ..
-rw-r--r-- 1 admin admin 220 Feb 27 19:37 .bash_logout
-rw-r--r-- 1 admin admin 3486 Feb 27 19:37 .bashrc
drwx------ 2 admin admin 4096 Mar 31 13:50 .cache
-rw-rw-r-- 1 admin admin 3100296 Mar 27 11:53 NCP_FNDSrv_Linux_x86-64_2_00_16224.bin
-rw-r--r-- 1 admin admin 675 Feb 27 19:37 .profile
-rw-rw-r-- 1 admin admin 4493496 Mar 4 10:55 SecHAServerLinux3_04_15693_x64.zip
admin@UBUNTU64Server:~$ chmod +x ./NCP_FNDSrv_Linux_x86-64_2_00_16224.bin
admin@UBUNTU64Server:~$ id
uid=1001(admin) gid=1001(admin) groups=1001(admin)
admin@UBUNTU64Server:~$ ./NCP_FNDSrv_Linux_x86-64_2_00_16224.bin
-------------------------------------
> NCP Friendly Net Detection Server <
-------------------------------------
Unpacking installation data... succeeded
To continue installation, root privileges are required.
The 'sudo' utility will now be called to reinvoke the installation script with
elevated rights.
Please provide the required credentials
password for admin@UBUNTU64Server:
=== Calling installation routine ===
Checking compatibility... succeeded
No previous installation of this product was found.
You are about to install the following product version:
Product code name: fnd
Product full name: NCP Friendly Net Detection Server
Product version: 2.00
Target architecture: x86_64
Target OS: linux
Build type: opt-debug
Library type: static
Build label: release+fnd-200
Build revision: rev16224
Do you want to perform this installation?
(yes/y/no/n):
Answer "y" to the above query and the installation will proceed.
The install program automatically detects whether or not a previous version of the FNDS software is already installed on the computer; follow the appropriate instructions below, dependent on whether you are performing a New Installation or an Update Installation.
Update Installation of FNDS Software
- The Update process preserves all configuration parameter settings from the previous version and hence the latest version of the ncpfndd daemon can be re-started immediately.
Secure Friendly Net Detection Service is Now Available
No further configuration work is required.
New Installation of FNDS Software
Installation Language, Licence Terms & Conditions
Currently only an English version of the FNDS software is available; future versions will also support the German language.
The Software License Terms & Conditions must be accepted before the install process can run to completion.
Installation Directory
By default, the FNDS software is installed (in the 32 bit or the 64 bit version chosen) in the following directory:
- /opt/ncp/fnd/ ...
This directory is referred to as $HOME in this document only; it can be changed, as required, during the install process.
Start Options for the FNDS Software
During the install process, select one of the following options:
a) start the ncpfndd daemon automatically during the system boot process: the Linux distribution-specific init routine which starts and stops the ncpfndd daemon will be configured as appropriate and no further installation activity is required.
or
b) start the ncpfndd daemon via other means: the Linux distribution-specific init must be configured manually; see the "Command Line Parameters" section below for details of how to determine the commands required to start and stop the ncpfndd daemon.
Installation Complete
The software installation process is now complete but the FND service is not yet configured and hence will not yet be available.
Configure the ncpfndd daemon
The ncpfndd daemon configuration parameters must be stored in ncpfnd.conf in:
- /opt/ncp/fnd/etc
IMPORTANT: two configuration files, ncpfnd.sam and ncpfnd.conf, are installed with the software; until ncpfnd.conf is correctly configured, the ncpfndd daemon will not start.
See the ncpfnd.conf Parameter Description section below.
Controlling the state of the ncpfndd daemon
Use fnd-control to control the state of the ncpfndd daemon:
admin@UBUNTU64Server:/opt/ncp/fnd/bin$ ./fnd-control --status
Current operational status of NCP Friendly Net Detection Server
Friendly Net Detection Daemon
-----------------------------
Status: running since 31.03.2014 16:27:38
Command Line: /opt/ncp/fnd/sbin/ncpfndd -f
Process ID: 34009
admin@UBUNTU64Server:/opt/ncp/fnd/bin$
IMPORTANT: Use fnd-control --help for details of how to use the fnd-control program.
Certificate-Based FND Service
If a certificate-based FND service is to be established, the CA certificate that issued the FND server's certificate must be stored in the CACERTS directory of the NCP Secure Client.
IMPORTANT: Although a CA certificate, vpngw1.p12, is available in the FNDS installation directory, it should only be used for testing purposes. Customers are strongly advised to use certificates generated by their own PKI administration system.
ncpfnd.conf Parameter Descriptions
Parameters in ncpfnd.conf are structured into three major Groups: [General], [SysLog] and [FND-USER n].
Group names, parameter names and overall syntax must correspond to the ncpfnd.sam delivered by NCP; any errors in the syntax are liable to cause unexpected behavior.

[General]
LogLevel = 10
LogPath = /var/log/ncp/fnd
Port = 12521
#LocalIpAddr = 192.168.1.1

Logs should be monitored and cleared on a regular basis.
Port: defines the port for incoming FND requests; this port must be accessible from any machine which is deemed to be within the Friendly Network.

Pkcs12FileName = vpngw1.p12
Pkcs12Pin = 1234

Pkcs12FileName, Pkcs12Pin: file name and PIN for the FND Server Certificate; vpngw1.p12 is delivered by NCP and should only be used for test purposes.

[SysLog]
Host = 192.168.1.1
Port = 514
LogEnabled = 0
LogFacility = 24001
TraceEnabled = 0
TraceFacility = 24002

Use the [SysLog] group if logs are to be collected on a central syslog host; contact NCP if you require further details about this facility.

[FND-USER 1]
Enabled = 1
UserName = testmd5
Password = testmd5
EAP-TYPE = MD5
#IPRange1 = 192.168.1.2-192.168.1.127
#IPRange2 = 192.168.1.128-192.168.1.254

[FND-USER 2]
Enabled = 1
UserName = testtls
EAP-TYPE = TLS
#IPRange1 = 192.168.1.2-192.168.1.127
#IPRange2 = 192.168.1.128-192.168.1.254

Define under each FND-USER the parameters that are to be used by an NCP Secure Client to detect when that Client is "within range" of the Friendly Net (configured in the Client Firewall under Configuration -> Firewall -> Friendly Network -> Automatic tab).
Use IPRange1 and IPRange2 to restrict Friendly Net detection to a specific Client address range; contact NCP if you require assistance with this function.
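As an added example (not NCP's code), the following Python checker parses an ncpfnd.conf written in the format above and flags the settings this readme warns about before the daemon is started: the vpngw1.p12 test certificate and its sample PIN, a sample or empty password on an enabled MD5 FND-USER entry, malformed IPRange values, and group names that do not match ncpfnd.sam. The embedded config is constructed for the demonstration and is not shipped with the product.

```python
import re
import ipaddress
# Constructed sample: values from the ncpfnd.sam excerpts in this readme, plus a reversed IPRange1.
SAMPLE_CONF = """[General]
Pkcs12FileName = vpngw1.p12
Pkcs12Pin = 1234
[FND-USER 1]
Enabled = 1
UserName = testmd5
Password = testmd5
EAP-TYPE = MD5
IPRange1 = 192.168.1.200-192.168.1.100
"""
GROUP_RE = re.compile(r"^\[(General|SysLog|FND-USER \d+)\]$")  # the three documented groups

def parse_conf(text):
    """Return {group: {key: value}}; '#' lines are comments, as in ncpfnd.sam."""
    groups, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            if not GROUP_RE.match(line):
                raise ValueError(f"unknown group {line}; names must match ncpfnd.sam")
            current = line[1:-1]
            groups[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            groups[current][key.strip()] = value.strip()
    return groups

def lint_conf(text):
    """Findings a reviewer would raise before starting ncpfndd on this config."""
    groups, findings = parse_conf(text), []
    general = groups.get("General", {})
    if general.get("Pkcs12FileName") == "vpngw1.p12":
        findings.append("General: vpngw1.p12 is NCP's test certificate; use your own PKI")
    if general.get("Pkcs12Pin") == "1234":
        findings.append("General: Pkcs12Pin still has the sample value from ncpfnd.sam")
    for name, user in groups.items():
        if not name.startswith("FND-USER") or user.get("Enabled") != "1":
            continue
        if user.get("EAP-TYPE") == "MD5" and user.get("Password", "") in ("", "testmd5"):
            findings.append(f"{name}: MD5 user has an empty or sample password")
        for key, val in user.items():
            if key.startswith("IPRange"):
                lo, _, hi = val.partition("-")
                if not hi or ipaddress.ip_address(lo) > ipaddress.ip_address(hi):
                    findings.append(f"{name}: {key} is not a valid low-high range")
    return findings
```

Run it against the real file with lint_conf(open("/opt/ncp/fnd/etc/ncpfnd.conf").read()); an empty list means none of the readme's warnings apply.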
Command Line Parameters
All command binaries provided with the FNDS software, including the installation binary NCP_FNDSrv_Linux_aaa_bbb.bin, can be called with the --help option in order to view the available parameter settings.
Use NCP_FNDSrv_Linux_aaa_bbb.bin --batch to run the installation process unattended; all installation options are set to their defaults.
Use /opt/ncp/fnd/bin/fnd-initconfig with --show-start-cmd or --show-stop-cmd to determine the correct, Linux distribution-specific command for starting and stopping the ncpfndd daemon.
Getting Help for the NCP Secure Friendly Net Detection Server (Win32/64)
To ensure that you always have the latest information about NCP’s products, always check the NCP website at:
http://www.ncp-e.com/en/downloads/software/version-information.html
For further information about the Enterprise Client, visit:
http://www.ncp-e.com/en/products/centrally-managed-vpn-solution/managed-vpn-client-suite.html
For further assistance with the NCP Secure Friendly Net Detection Server (Win32/64), visit:
http://www.ncp-e.com/en/company/contact.html
NCP engineering GmbH, July 2014